mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 00:14:44 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

mod_apparmor: try uri hat after AADefaultHatName, not before

Browse source 
In trunk revno 2335, a bug was fixed in mod_apparmor that corrected
the storage location for AADefaultHatName.  The incorrect storage
caused the hat specified by the AADefaultHatName keyword to be the
default value for AAHatName, and meant that if both an AAHatName and
an AADefaultHatName entry were given in a vhost, mod_apparmor would
not fall back to trying AADefaultHatName if the hat specified in
AAHatName did not exist in the apache apparmor profile.

However, because the value specified in AADefaultHatName was the
default, if no AAHatName was specified, it would be attempted first,
before a hat based on the passed URI, rather than after as the
documentation stated and the code intended. By fixing the storage bug,
the attempted hat ordering now matched the documentation. But a number
of users came to rely on AADefaultHatName being attempted before
the URI. For trunk, this issue is less severe because mod_apparmor
passes a vector of hats to aa_change_hatv(), and thus missing URI
hats are not logged by the kernel apparmor bits. It still represents
a behavioral change to users, though.

This patch re-adjusts the ordering so that the URI-based hat is
attempted after the hat specified by AADefaultHatName is attempted,
thus maintaining the actual behavior before the bug addressed in
revno 2335 was fixed.

Patch history:
  v1: initial revision
  v2: no code changes; adjust comments and improve the man page
      documentation

Signed-off-by: Steve Beattie <steve@nxnw.org>
Acked-by: John Johansen <john.johansen@canonical.com>
This commit is contained in:
Steve Beattie 2014-07-08 00:39:05 -07:00
parent 0f6be43d8e
commit 372764355a
2 changed files with 20 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
changehat/mod_apparmor/mod_apparmor.c
View file

@ -122,8 +122,8 @@ debug_dump_uri(request_rec *r)
/*
immunix_enter_hat will attempt to change_hat in the following order:
(1) to a hatname in a location directive
(2) to the uri
(3) to a per-server default
(2) to the server name or a defined per-server default
(3) to the uri
(4) to DEFAULT_URI
(5) back to the parent profile
*/
@ -159,10 +159,6 @@ immunix_enter_hat (request_rec *r)
aa_hat_array[i++] = dcfg->hat_name;
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[uri] adding uri '%s' to aa_change_hat vector", r->uri);
aa_hat_array[i++] = r->uri;
if (scfg) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Dumping scfg info: "
"scfg='0x%lx' scfg->hat_name='%s'",
@ -183,6 +179,10 @@ immunix_enter_hat (request_rec *r)
}
}
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[uri] adding uri '%s' to aa_change_hat vector", r->uri);
aa_hat_array[i++] = r->uri;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
"[default] adding '%s' to aa_change_hat vector", DEFAULT_URI_HAT);
aa_hat_array[i++] = DEFAULT_URI_HAT;

29
changehat/mod_apparmor/mod_apparmor.pod
View file

@ -40,10 +40,10 @@ apache2(8)/httpd(8) configuration files, and restart Apache. Make sure that
apparmor is also functioning.
Once mod_apparmor is loaded within Apache, all requests to Apache will
cause mod_apparmor to attempt to change into a hat named by the URI
(e.g. /app/some.cgi). If no such hat is found, it will first fall
back by attempting to change into a hat that matches the ServerName
for the server/vhost. If that hat is not found, it will fall back to
cause mod_apparmor to attempt to change into a hat that matches the
ServerName for the server/vhost. If no such hat is found, it will
first fall back by attempting to change into a hat named by the URI
(e.g. /app/some.cgi). If that hat is not found, it will fall back to
attempting to use the hat DEFAULT_URI; if that also does not exist,
it will fall back to using the global Apache profile. Most static
web pages can simply make use of the DEFAULT_URI hat.
@ -72,14 +72,13 @@ behavior described above.
=item B<AADefaultHatName>
AADefaultHatName allows you to specify a default hat to be used
for virtual hosts and other Apache server directives, so that you
can have different defaults for different virtual hosts. This can
be overridden by the AAHatName directive and is checked for only if
there isn't a matching AAHatName or hat named by the URI. The default
value of AADefaultHatName is the ServerName for the server/vhost
configuration. If the AADefaultHatName hat does not exist, it falls
back to the DEFAULT_URI hat if it exists (as described above).
AADefaultHatName allows you to specify a default hat to be used for
virtual hosts and other Apache server directives, so that you can have
different defaults for different virtual hosts. This can be overridden
by the AAHatName directive and is checked for only if there isn't
a matching AAHatName. The default value of AADefaultHatName is the
ServerName for the server/vhost configuration. If the AADefaultHatName
hat does not exist, then it falls back to the behavior described above.
=back
@ -99,12 +98,12 @@ will:
1. try to aa_change_hat(2) into a matching AAHatName hat if it exists and
applies, otherwise it will
2. try to aa_change_hat(2) into the URI itself, otherwise it will
3. try to aa_change_hat(2) into an AADefaultHatName hat, either the
2. try to aa_change_hat(2) into an AADefaultHatName hat, either the
ServerName (the default) or the configuration value specified by the
AADefaultHatName directive, for the server/vhost, otherwise it will
3. try to aa_change_hat(2) into the URI itself, otherwise it will
4. try to aa_change_hat(2) into the DEFAULT_URI hat, if it exists, otherwise it
will